Speech Transcript – Brad Smith, Anti-Spam News Conference with the Office of the New York State Attorney General

Transcript of Anti-Spam News Conference
Eliot Spitzer, Attorney General, State of New York
Brad Smith, Senior Vice President, General Counsel, Corporate Secretary, Microsoft Corporation
Office of the New York State Attorney General
New York, N.Y.
December 18, 2003

Eliot Spitzer: Good morning folks. Thank you for being here. First, let me tell you who is up here with me. It’s a pleasure to have standing with me to my immediate right Brad Smith, who is the Senior Vice President and General Counsel at Microsoft. Also as a matter of both disclosure and friendship, I should disclose, a college classmate and a friend for 20-some odd years now. To his right is Stephen Kline in the Attorney General’s Office in New York who had a great deal to do with making this case. Ken Dreifach, who is the head of the Internet Bureau here in the AG’s office. And, to his right Tim Cranton, who is a Senior Attorney at Microsoft. Thank you folks, all, for being here. And for the collaboration you are seeing here today.

I’ve always thought of spam – which is the issue we are talking about here today – as being the intersection of junk mail and telemarketing on steroids. It is not in and of itself, per se, illegal. But we all know it invades privacy, is burdensome, it is having an enormously detrimental impact on the Internet and the viability of e-commerce. Spam therefore has become, and rightfully so, the focus of a fair bit of prosecutorial attention because we are all driven by a desire to see e-commerce succeed. And driven by a desire to eliminate that spam which is illegal. And it becomes illegal, of course, when spam – which may be legitimate if it is just the proliferation of e-mail messages – it becomes illegal when it is paired with deceptive commentary, fraud or other illegal conduct. What you are seeing today is, what I hope, the first of many very successful partnerships between government and the private sector. We are driven by a similar objective – occasionally and marginally different perhaps – obviously Microsoft has been a world leader in technology and wants to make sure that its technology succeeds. We in government are more purely directed occasionally at law enforcement. But, of course, it is the combined effort and concern that we share to make this new technology succeed.

The case we are talking about today is a critically important one. And let me just tell you who the parties are, and then I’ll describe a little bit of the underlying facts and give Brad a chance to speak as well, of course. Synergy 6, who is one of the defendants we are suing today is a Delaware corporation with New York headquarters. They are an online marketing company and essentially an e-mail marketing company that survives by forging partnerships with other online marketing companies. Synergy 6 president, Justin Champion, who is also a defendant here today. OptInRealBig another of the corporate defendants, is a Nevada company – it is an e-mail marketing company that has forger partnerships with Synergy 6. And Scott Richter, who is the president of OptInRealBig is also, obviously, a defendant in today’s action. OptInRealBig is a Nevada company but it acts and sends e-mails worldwide. Just to put this in perspective, the calculations that have been done gives the sense that Scott Richter and OptInRealBig is the third-largest spammer in the world. Now, I add as a caveat that there is some fluidity to these measurements. But it is the general consensus that he is the third-largest spammer in the world. In this day of holiday cards does that mean he sends out 100 messages a day? No. Per day, the consensus is 250 million e-mails. 250 million spam e-mails per day that Scott Richter – best estimates, and I emphasize these are estimates – 250 million per day. The burden of that on the system is enormous. And Brad, I know, will talk about that briefly.

What is it, from a law enforcement perspective, these defendants do and what it their objective? Synergy 6, in order to market its various gimmicks, its various products – many of which are scams – but nonetheless what it does is hire a company such as OptInRealBig and say to OptInBig, we want you to send out millions and millions of e-mails to unsuspecting consumers and hopefully they will respond to the gimmicks we are marketing. You have, up here, two of the examples, two of the products. One of them is free diamond earrings – I’m not sure anybody would uh, would probably check the carats of those diamonds. But, uh, that is a separate issue. Um, sonic clean, guaranteed to probably give you a cavities – uh, that is a separate issue. (Laughter.) Anyway, these are some of the products that they market but it only works if these e-mails get through. The reason they send 250 million spam e-mails a day is that people have created filters to avoid being bombarded by unsolicited e-mails. That, as we well know, when you go home and open your mailbox hopefully you have set up systems to keep out the e-mails you don’t want or else you will be inundated by junk mail and won’t be able to get to those messages that you really want. What these folks have done is fraudulently load into their e-mails misinformation, deceptive information that is designed to not only fool the ISPs – that themselves spend a great deal of time trying to weed out the e-mails – but also the individual consumers.

Now, how are we going to prove this and what do we want? The way we are going to prove this is — and this is really where the relationship with Microsoft was not only so important and valuable, but so remarkably beneficial. Microsoft set up what they call spam traps. You can think of this as in the summer, flies are swarming around and you set up a fly trap. And the flies are drawn into this little zapper and so much for the flies. What the spam traps do is attract spam. Just because there are e-mail addresses that spam necessarily will find because of the way they disseminate the spam. Microsoft set up these spam traps and we received, or Microsoft received, 8,000 spams from Scott Richter during the month of May 13 through June 13 of this year. In that one month, the spam traps that Microsoft set up attracted 8,000 spam e-mails. We examined these 8,000 spam e-mails. In those 8,000 spam e-mails we found 40,000 fraudulent statements. 40,000, an average of five per e-mail. What types? False sender ID. False e-mail sender addresses. False transmission path IDs. False subject lines. Why do they do this? Again, the reason that they load this deceptive and misinformation into the e-mails is so that the ISPs and the filters -the ISPs have set up their own filters – filters that have been set up by consumers will be circumvented. E-mails made their way through not only to Microsoft spam traps, of course, but also to ordinary consumers. Once the e-mails are in there with all this false information they are hoping you will open and respond. Forty thousand deceptive comments, deceptive statements. What we are going to do as a consequence is use our existing jurisdiction to bring an injunction against the companies who are the defendants here who I have listed – Synergy 6, OptInRealBig, Scott Richter, Justin Champion and a few other individuals – seeking to force them to stop bombarding New York state consumers and all consumers with fraudulent statements. We are going to force them to stop making fraudulent statements, shut down their systems, we will seek monetary damages – $500 per fraudulent statement. Now, why do I emphasize this? Because we not only want them to be shut down, we want to prove to others who are spammers that the penalty that will be imposed upon you will make it financially unviable. The model of spamming they have set up will be proven to be a money loser. When we catch you and we go back and find each one of those fraudulent comments, you will pay a price of $500 per comment. We will drive them into bankruptcy, and therefore others will not come into the marketplace to take their place. If we’re going to succeed, we not only have to shut down those who are there now but make it evident that there is no viable business model here and that is why the penalty we are going to impose is such a critical part of this. Let me just sum up by saying, and conclude by thanking Microsoft. This really is one of those cases that would not have been made without collaboration between the AG’s office and Microsoft. It is collaboration where we have some prosecutorial authority, they have technological skills, they have resources, they have know-how. We have a joint interest – it is an interest that is shared by consumers, the marketplace and ultimately the success of e-commerce. And so it is a real pleasure to have worked with Brad and with Microsoft in making this case. There is still lots of work to be done. Loads of cases to be made like this – not only here in New York – but I’m sure Brad will work with other government entities as well. But, Brad thank you so much and thank you for being here.

Brad Smith: First and foremost I would like to thank the Attorney General and Stephen and Ken and all the people in his office who made today’s announcement possible. As Eliot mentioned, we work with government agencies on this kind of problem around the world and the level of expertise and ability in this office is truly impressive. It is very clear that the New York Attorney General’s office is a leader in fighting this kind of Internet fraud. Not only in the states, but really on a global basis. Fighting this type of intentionally devious and deceptive spam is not something that the technology industry or law enforcement can do alone. But it is something we can do effectively together. Working with this type of collaboration we can give you the ability to retake control of your Inboxes. By pooling our strengths in this case, as you heard, we were able to combine Microsoft’s technology tools and the Attorney General office’s subpoena power and enforcement strengths. And together we were to move forward against not only one of the world’s largest spamming networks but a spamming network that basically held out itself as above the law. As the Attorney General mentioned, the action we’re taking today is really on some of the worst types of spam. Spam that was intended to deceive consumers who received it in their In boxes. They did so by really abusing 514 computers around the world. Computers that had been compromised for security purposes. Computers that belonged to and used by legitimate businesses – in some cases, elementary or secondary schools. In some cases, hospitals. In some cases, government ministries in the United States or internationally. In most cases, all of these entities these were unwitting participants. They were innocent participants. But it was their computers that were being used and misused by the people engaging in this network.

These were intentional, deceptive attempts to mislead consumers into opening e-mail they otherwise would have discarded. I think that this case is also important for some other reasons as well. One is I think this case has provided us with a new roadmap for investigating and prosecuting spammers around the world. We were able to use what we call a new root to branch investigative approach that really has rooted out an entire spamming network. And this is the first time that we have ever been able to do this. It’s worth taking a moment to look at this chart here. And you can see here the way that this works. There was a compromised computer, a compromised IP address in New York State. And we at Microsoft were able to identify that this computer was being misused and was the source of literally tens of millions of spam e-mails. We were able, working with the Attorney General’s office, to provide that information and they were able to identify that the e-mails that were going across that computer were coming from a company called Synergy 6. Synergy 6 was in fact subcontracting work to Scott Richter and his company – a Nevada company, he lives in Colorado and his company is called OptInRealBig. In fact, Scott Richter in turn was relying on people in his employee to in effect send these e-mails – these are people who work at a company called Delta 7 Communication. Their principals are located in Texas and Washington State. And in turn, the e-mails that were being sent by Delta 7 were going through this computer and over 500 other compromised computers and they were inundating consumers around the world. Today, in addition to the action the Attorney General’s office is filing against the defendants involved in this network, we, too, at Microsoft are filing suit against these defendants in court in Washington State. We are seeking damages of $18.8 million. If these people have any money left after the New York Attorney General’s lawsuit in New York comes to a close, we will be happy to pursue the remainder. Because, as you heard, the goal here is clear, we need to send a strong message that this is illegal and it doesn’t pay.

We need to change the economics of spam and we need to prove that spam business models will fail and there are better ways for people to make money by engaging in legitimate pursuits. The other thing that I think is really important about today’s case is that we were really able to penetrate working together two levels of deception. The kind of levels of deception that people who are engaged in this are relying upon to immunize themselves from accountability under the law. They first relied on a technological layer of deception – the use of these compromised computers to try to deceive law enforcement and technology companies and consumers – to try and hide their tracks and remove from view the people who are hiding behind their computer screens and sending these e-mails out. Using technology tools we were able to penetrate that first level of deception. They really relied on a second level of deception and that was an operational layer of deception, if you will. It is this multi-pronged operational model where there was one company contracting to another and a second company was in turn contracting with a third in the hopes that each one would be able to, if necessary, point the finger at someone else. But the reality is that today, as you’ve heard, all of them are where they should be. The finger is pointing at them. So, I do think that this an important case, it not only has managed to bring to two courts the third largest spammer in the world, but more importantly we’ve created a roadmap we can follow in other cases and sent a message that is clear that if people think that they can do this and hid their tracks and still make money. A new day has dawned, working together the technology industry and law enforcement are able to do what it takes to bring these people to accountability in a courtroom. Good day.

Eliot Spitzer: Thank you, Brad. I just want to thank you, Brad, for being here and also for acknowledging that we can go after the money first. (Laughter.) We’re going hold you to thatbut, rumor has it, that we need it more. That’s a separate issue. Who has a question?

Question 1: When the Attorney General’s office began looking at it, was it immediately apparent that it was fraudulent, or did you have to look through it a little bit over a period of time before.

Eliot Spitzer: Let me take a quick stab at that although I will quickly confess the work of looking through the e-mails was done by others and those up here and I thank them — I said that before — but, what made it apparent, if you look at some of the e-mails up there, you’ll see the “From” and “To” lines were identical and the subject “Peter Stubbs” – very often, truth in fact, that some of their deceptive practices were somewhat obvious and easy to see through. They would simply clone the same “From”, “To” and “Subject” as a way of disguising the genuine “To”, “From” and “Subject” because you saw those three are identical. Many consumers would say “Wait a minute, I’m receiving it, it’s my name and it is also from me, the subject is me” so they’d be intrigued and open it – which was their intent – but it was also a sign to investigators that these are probably cloned or fraudulent pieces of information. Yes, ma’am, I think you were next.

Question #2: Will this be affected at all by the current spam legislation?

Eliot Spitzer: Our litigations will not be affected by the new federal law. In truth, the type of action that we’re bringing here is the very type of action the new federal statute envisions. And there is a nice alignment here that the deceptive practices that are the foundation of our case are the very deceptive practices that are outlawed in the federal statute. We hope there will be other cases brought by other jurisdictions that will use the federal statute’s jurisdictional basis if they didn’t already have the capacity to act. But the actions are really very similar. Our action is similar to that which was envisioned by the federal statute. I’m sorry, Brad

Brad Smith: I was just going to add that the good news for consumers is the enactment of the Can Spam legislation. New York has been at the forefront of this type of enforcement. Seventeen states enacted new or modified existing, in effect, anti-spam laws this year. But the good news is that as of January ,1 there is a national standard with tough penalties that will apply in every state regardless whether the existing state law is strong.

Question 3: In the course of your investigation, did you come up with any sort of estimate of how profitable this business has been for spammers and will the damages you seek put much of a dent into their profits?

Eliot Spitzer: Let me give you a reference point – which is only one small data point. We believe that Scott Richter is clearing several million dollars a month in profit. And so we have reason to believe that he is profiting substantially from the enterprise. We also have reason to believe that the damages we seek – again, the $500 per violation – will be sufficient to wipe out whatever profit he has made. And this goes back to the point that both Brad and I are trying to focus on – is that at the end of the day, others should take away from this case the lesson that it will not be a profitable type of abuse. Will not be profitable, criminal conduct, we will drive them into bankruptcy, we hope.

Question 4: What about servers offshore, outside the U.S. on some remote island somewhere? Does that just drive spammers from the United States and they’ll just launch them from elsewhere?

Eliot Spitzer: As a jurisdictional matter, we have the capacity to bring action against an offshore entity that sends e-mails here and tries to transact business here. And we can get judgments against them. Enforcing the judgments, if all of the owners are offshore, if all of their assets are offshore those become a bit more problematic but we will go through the effort of doing what needs to be done. The cause of action still rests, we have jurisdiction over their behavior, we can still get court judgments against them, it is only the point of enforcing those judgments. If they themselves want to take all of their assets and live overseas, it becomes tougher. But, first I’m not so sure that many folks would want to do that, and we will still pursue them overseas with offshore judgments.

Brad Smith: I think that is a key point. If the Scott Richters of the world want to spend the rest of their lives living in a country like Libya and never moving, it may be a challenge to prosecute them. But if they want to live as they do in the United States or pretty much any other country, and simply move their computers offshore, we will get them. And that is what this shows in this case. Many of the computers moved off shore. But, the reality is that 80 percent of the 50 top spammers in the world live and work in the United States. They can’t avoid the long arm of the law simply by moving their computer somewhere else.

Eliot Spitzer: We won a case several years ago against a gambling enterprise that was offshore, that was overseas, and the reason we pursued it was to establish the jurisdictional principle that even if the computers are offshore, if their behavior manifests itself here in New York State, we have jurisdiction.

Question 5: This question is for Mr. Smith. You’re working with New York State. Are there any other states you are working with on a similar program?

Brad Smith: We are always working with a variety of governments here in the United States and overseas – especially in Europe and Asia, where the spam problem has really exploded over the last few years. I think we’ll continue to do that. We’ve really been fortunate to be able to rely on a few offices that have been trend setters in this area – the New York Attorney General’s office, the Washington state Attorney General’s office, and the Federal Trade Commission in Washington. Ultimately, as Eliot made clear, it will take a combination of efforts by other law enforcement agencies and by other technology leaders, companies like AOL, Yahoo! They are all doing a great job with this as well. It is a big problem and we will be successful. But, we will only be successful if we are all focused on this and we all work together.

Question 6: Brad, last summer you filed suits against, I believe, 15 people and later found out that one of them was the wrong guy. Did you have to take extra precautions this time to make sure you had the right guy?

Brad Smith: There is no doubt in our minds that the lawsuits today are being filed against the right people. The evidence is really quite impressive if you look at what you’ve already seen in terms of Scott Richter. We are also filing today five other lawsuits against other spamming organizations that use this same compromised computer in New York State. One of the lawsuits that we filed in June has already gone to judgment and we were awarded in that judgment in excess of $30 million in that case. There was a case in the United Kingdom – that you point out – that it turns out somebody’s computer was being used, but that person was not in fact the person that was using it. We’ve been very careful and will continue to be. It is a challenge, there may be times when the first person turns out not to be the ultimate person. But we have no lack of confidence about the cases being filed today.

Question 7: One of the issues here seems to be a question of affiliates. The Richter organization and Synergy 6, they just had affiliate programs, hundreds of people signed up who were commissioned for sending e-mails with the ultimate spammer Delta 7, as I understand, sent the mail and earned commissions from them. Can you talk about how you build a case against Richter, who didn’t seem to send those mails and Synergy 6?

Eliot Spitzer: Let me just say this. We don’t like to get into trial evidence at this stage of the process. We have absolutely no doubt we will be able to establish liability up that chain of command. Those who try to create buffers, as you point out, whether corporate or individual, and say, “I didn’t send it, someone else did,” and pretend there was some arm’s-length relationship between the two, we will pierce into those relationships and prove without a doubt that those, including Richter, and the corporations themselves are liable for the misbehavior of those that actually stand there and push the buttons.

Brad Smith: I would just add, for example ,the lawsuits are based on six different statutes – two federal, two New York, two Washington State. The legal standard under one of them, for example, holds liable not only the person that presses the “Send” key, but anyone who assists in the transmission of this type of illegal e-mail. And as you look at the court documents, I think it will become abundantly clear that the word “assist” is an understatement in describing what happened here.

Question 8: What will happen to the money? Will it go to the state, or is Microsoft getting any portion of the damages?

Eliot Spitzer: It will be apportioned based on need, so New York will be getting the money. (Laughter.) Thank you, all, so much.